Supply Chain Incident Notification Laws: A Global Overview

Governments worldwide are mandating supply chain incident disclosure. Here is what organizations need to know about notification requirements across major jurisdictions.

Alex
Security Researcher

The regulatory landscape for supply chain incident notification has changed dramatically since 2021. The SolarWinds attack prompted governments worldwide to mandate faster and more detailed disclosure when software supply chain incidents affect critical infrastructure and sensitive data. Organizations that have not updated their incident response plans to account for these requirements are operating with significant legal exposure.

This guide covers the major supply chain incident notification requirements across key jurisdictions, with practical guidance on compliance.

United States

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)

Signed into law in March 2022, CIRCIA requires critical infrastructure organizations to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The final rule, published in 2024, specifically covers supply chain incidents.

Key requirements:

  • Who must report: Entities in the 16 critical infrastructure sectors as defined by Presidential Policy Directive 21
  • What must be reported: Substantial cyber incidents, including supply chain compromises that affect the entity's operations
  • When: Within 72 hours of reasonably believing an incident occurred
  • To whom: CISA (Cybersecurity and Infrastructure Security Agency)
  • What to include: Description of the incident, affected systems, impact assessment, indicators of compromise, and actions taken

SEC Cybersecurity Disclosure Rules

The SEC's rules, effective December 2023, require publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. Supply chain incidents that materially affect the company fall under this requirement.

The materiality determination is the critical element. Not every supply chain incident is material. But an incident that compromises customer data, disrupts operations, or creates significant financial exposure likely meets the materiality threshold.

State-Level Requirements

Most US states have their own breach notification laws with varying requirements. Some states have updated their laws to specifically address supply chain incidents:

  • New York (SHIELD Act): Requires notification within the most expedient time possible for incidents affecting New York residents
  • California (CCPA/CPRA): Requires notification within 72 hours for incidents involving personal information
  • Texas (HB 4218): Requires notification to the Attorney General within 60 days for breaches affecting 250 or more residents

European Union

NIS2 Directive

The NIS2 Directive, which EU member states were required to transpose into national law by October 2024, significantly expands supply chain incident notification requirements:

  • Who must report: Essential and important entities across 18 sectors (expanded from the original NIS Directive's 7 sectors)
  • Early warning: Within 24 hours of becoming aware of a significant incident
  • Incident notification: Within 72 hours, including an initial assessment of severity and impact
  • Final report: Within one month, including detailed description, root cause analysis, and mitigation measures

NIS2 specifically addresses supply chain security, requiring entities to account for supply chain risks in their security measures and to report incidents that originate from supply chain compromises.

DORA (Digital Operational Resilience Act)

For financial sector entities, DORA adds further requirements:

  • Initial notification: Within 4 hours of classifying an incident as major
  • Intermediate report: Within 72 hours
  • Final report: Within one month
  • Supply chain specific: ICT third-party service providers must report incidents to their financial entity clients without undue delay

GDPR

If a supply chain incident involves personal data, GDPR's 72-hour notification requirement to the supervisory authority applies, along with notification to affected data subjects if there is a high risk to their rights and freedoms.

United Kingdom

NIS Regulations (UK)

The UK retained its version of the NIS Directive post-Brexit, with incident notification requirements for operators of essential services and relevant digital service providers:

  • Notification timeline: Without undue delay, and in any event within 72 hours
  • To whom: The relevant competent authority (varies by sector)
  • What to include: Nature of the incident, impact, and measures taken

The UK government has signaled that it intends to update these regulations to align with the broader scope of NIS2, though specific timelines have not been confirmed.

Australia

SOCI Act (Security of Critical Infrastructure Act)

Australia's SOCI Act, amended in 2022, requires critical infrastructure entities to report cyber security incidents:

  • Critical incidents: Within 12 hours of becoming aware
  • Other incidents: Within 72 hours
  • To whom: Australian Cyber Security Centre (ACSC)
  • Supply chain scope: Incidents involving supply chain compromises that affect critical infrastructure assets

Practical Compliance Steps

1. Map Your Notification Obligations

Determine which regulations apply based on:

  • Your industry sector and whether you qualify as critical infrastructure
  • The jurisdictions where you operate and where your customers are located
  • Whether you process personal data (triggering GDPR, state privacy laws)
  • Whether you are publicly traded (triggering SEC requirements)
  • Whether you provide services to financial institutions (triggering DORA)

Many organizations discover they have overlapping obligations requiring notifications to multiple authorities within different timeframes.

2. Define Incident Classification Criteria

Establish clear criteria for classifying supply chain incidents. Not every vulnerability disclosure or dependency update requires regulatory notification. Define thresholds for:

  • Severity: What level of impact triggers a notification obligation?
  • Scope: How many users, systems, or records must be affected?
  • Data involvement: Is personal data, financial data, or classified data involved?
  • Operational impact: Is service availability or integrity affected?

3. Build Notification Workflows

For each applicable regulation, document:

  • The notification timeline (hours from incident detection to required notification)
  • The notification recipient (which authority, which contact method)
  • The required content (what information must be included)
  • The responsible person (who in your organization submits the notification)
  • The escalation path (what happens if the responsible person is unavailable)

4. Prepare Templates

Pre-build notification templates for each jurisdiction. During an active incident, you do not want to be researching what information a particular authority requires. Templates should include:

  • Organization identification and contact information
  • Incident description fields (what, when, how)
  • Impact assessment fields (scope, data types, operational effects)
  • Remediation action fields (what has been done, what is planned)
  • Indicator of compromise fields (technical details for authorities)

5. Test the Process

Run tabletop exercises that specifically simulate supply chain incidents requiring multi-jurisdiction notification. Test:

  • Can you classify the incident and determine notification obligations within one hour?
  • Can you prepare and submit the initial notification within the required timeline?
  • Do you have contact information for all relevant authorities?
  • Can the process function outside business hours?
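As an added example (not from the original article or Safeguard.sh), the obligation mapping of step 1 and the timelines of step 3 expressed as a small deadline calculator over the windows the article lists; the Profile schema, the 30-day stand-in for "one month", the weekend-only business-day rule, and the sample incident are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Windows as the article states them: (stage, hours after detection); "one month" is
# modelled as 30 days, an assumption made for illustration only.
MONTH = 24 * 30
WINDOWS = {
    "CIRCIA": [("CISA incident report", 72)],
    "NIS2": [("early warning", 24), ("incident notification", 72), ("final report", MONTH)],
    "DORA": [("initial notification", 4), ("intermediate report", 72), ("final report", MONTH)],
    "GDPR": [("supervisory authority notification", 72)],
    "UK NIS": [("competent authority notification", 72)],
}
@dataclass
class Profile:
    """Step 1 inputs (hypothetical schema); critical_infrastructure also stands in for
    NIS2 essential/important and UK NIS operator-of-essential-services status."""
    jurisdictions: set = field(default_factory=set)  # e.g. {"US", "EU", "UK", "AU"}
    critical_infrastructure: bool = False
    publicly_traded_us: bool = False
    financial_entity: bool = False
    processes_personal_data: bool = False
def applicable_regimes(p: Profile) -> list:
    """Apply the article's trigger conditions to decide which regimes are in play."""
    j, ci = p.jurisdictions, p.critical_infrastructure
    checks = [("CIRCIA", "US" in j and ci), ("SEC", p.publicly_traded_us),
              ("NIS2", "EU" in j and ci), ("DORA", "EU" in j and p.financial_entity),
              ("GDPR", "EU" in j and p.processes_personal_data),
              ("UK NIS", "UK" in j and ci), ("SOCI", "AU" in j and ci)]
    return [name for name, applies in checks if applies]
def add_business_days(start: datetime, days: int) -> datetime:
    """Count only Monday to Friday; no public-holiday calendar (assumption)."""
    while days:
        start += timedelta(days=1)
        days -= start.weekday() < 5
    return start
def deadlines(p: Profile, detected_at: datetime, materiality_at=None, critical=False) -> list:
    """Step 3: every (deadline, regime, stage) the profile owes, earliest first."""
    out = []
    for regime in applicable_regimes(p):
        if regime == "SEC" and materiality_at:  # SEC clock runs from the materiality call
            out.append((add_business_days(materiality_at, 4), "SEC", "Form 8-K"))
        elif regime == "SOCI":  # 12 hours if classified critical, otherwise 72
            out.append((detected_at + timedelta(hours=12 if critical else 72), "SOCI", "ACSC report"))
        elif regime != "SEC":
            out.extend((detected_at + timedelta(hours=h), regime, s) for s, h in WINDOWS[regime])
    return sorted(out)
# Constructed sample incident: detected on a Friday, judged material the following Monday.
SAMPLE_PROFILE = Profile({"US", "EU"}, True, True, True, True)
SAMPLE_DETECTED_AT, SAMPLE_MATERIALITY_AT = datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 4, 9, 0)
```

Running `deadlines(SAMPLE_PROFILE, SAMPLE_DETECTED_AT, SAMPLE_MATERIALITY_AT)` shows why step 3 matters: the first clock (DORA, 4 hours) expires the same afternoon, four separate 72-hour notices fall due on Monday morning, and the SEC Form 8-K has its own calendar.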

How Safeguard.sh Helps

Safeguard.sh supports incident notification compliance by maintaining continuous records of your software supply chain state: which components are in use, when vulnerabilities were discovered, when remediation began and completed, and which policy gates were in effect. When a supply chain incident occurs, these records provide the evidence base for regulatory notifications, including impact assessment data, affected component inventories, and remediation timelines. The compliance reporting engine can generate jurisdiction-specific notification content from this data, reducing the time from incident detection to regulatory notification.